Skip to content

tests: add script to update FIPS image in test-fips workflow #4736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Sep 9, 2025
Merged

tests: add script to update FIPS image in test-fips workflow #4736

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
7339a0f
chore: update fips image sha
david-luna Aug 27, 2025
1ec0115
chore: update fips sha
david-luna Aug 27, 2025
0ce3cd6
chore: remove old sha
david-luna Aug 27, 2025
33b2c6b
chore: update dependabot config for docker
david-luna Aug 27, 2025
92159f7
chore: add script and update image sha
david-luna Sep 3, 2025
e006d1e
chore: revert dependabot change
david-luna Sep 3, 2025
7e409b5
chore: fix dependabot syntax
david-luna Sep 3, 2025
c49d4a5
Merge branch 'main' into luna-fips-image-fix
david-luna Sep 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/test-fips.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
# https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
# docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
container:
image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:60d2da332337ed2252d3ad06d0b51416adf72448e61215103e9e73657dff63a9
image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:091dcf0eab7fc666cc929adbb52c6e1d6692c4b52f7f0a15905a9ad48960dbd6
credentials:
username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
Expand Down
72 changes: 72 additions & 0 deletions dev-utils/update-fips-image.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
#!/usr/bin/env node

/*
* Copyright Elasticsearch B.V. and other contributors where applicable.
* Licensed under the BSD 2-Clause License; you may not use this file except in
* compliance with the BSD 2-Clause License.
*/

'use strict';

// Update the wolfi image for testing with FIPS in the `test-fips.yml` workflow file.
// Assumes docker daemon is installed and running
//
// Usage:
// node dev-utils/update-fips-image.js

const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');

const TOP = path.resolve(__dirname, '..');
const file = path.resolve(TOP, '.github', 'workflows', 'test-fips.yml');

// ---- mainline

function main() {
// We should replace any reference to the fips image in the yml
// file. It's easy to detect since it has the form
// ```
// image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:SHA_VALUE
// ```
// So checking for a substring maybe is enough. We will replace that line for a
// new one.
const imageRef = 'docker.elastic.co/wolfi/chainguard-base-fips:latest';

// Get the latest and extract the SHA
const out = execSync(`docker image pull ${imageRef}`, { encoding: 'utf-8' });
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could perhaps use this command to resolve the digest without installing:

% docker buildx imagetools  inspect docker.elastic.co/wolfi/chainguard-base-fips:latest
Name:      docker.elastic.co/wolfi/chainguard-base-fips:latest
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:b30d05c61d6a318e15113d8542a745acb605941a5cb8b1321228ff671fc4a3c9

Manifests:
  Name:      docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:f36b3fc08b2759b07a6a9c907f9b2b327abd393ed56bbc1569fbbdbc0d49bc1b
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  linux/amd64

  Name:      docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:29ba15059f84be168cdd1785583a93cf7c01c6d84f441927e691e36bd441b61e
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  linux/arm64

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea. I merged this PR to get an updated sha and stop the failures of the. test-fips.yml workflow. But I'll do a follow up PR to change use this command and run it periodically with a cron expression.

let sha256;
for (const line of out.split('\n')) {
if (line.startsWith('Digest: ')) {
sha256 = line.slice(8);
}
}
console.log('Latest FIPS image sha256 is', sha256);

// Read the file content and replace any reference to the FIPS image
const content = fs.readFileSync(file, { encoding: 'utf-8' }).split('\n');
const search = `image: ${imageRef}@sha256:`;
let shouldUpdate = false;

for (let i = 0; i < content.length; i++) {
const line = content[i];
const isImageLine = line.indexOf(search) !== -1;
const isShaOutdated = isImageLine && line.indexOf(sha256) === -1;

if (isImageLine && isShaOutdated) {
console.log('Found FIPS image with outdated sha256. Updating');
shouldUpdate = true;
content[i] = line.replace(/image:.+/, `image: ${imageRef}@${sha256}`);
}
}

if (shouldUpdate) {
fs.writeFileSync(file, content.join('\n'), { encoding: 'utf-8' });
} else {
console.log('No outdated FIPS images found.');
}
}

if (require.main === module) {
main();
}
Loading